Good Practice for Strong Passwords - Your Projects

This article was downloaded by: [University of Ulster at Coleraine] On: 18 November 2011, At: 07:48 Publisher: Taylor & Francis Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

EDPACS Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uedp20

Good Practice for Strong Passwords Kevin Curran, Jonathan Doherty, Ayleen McCann & Gary Turkington Available online: 18 Nov 2011

To cite this article: Kevin Curran, Jonathan Doherty, Ayleen McCann & Gary Turkington (2011): Good Practice for Strong Passwords, EDPACS, 44:5, 1-13 To link to this article: http://dx.doi.org/10.1080/07366981.2011.635497


EDPACS

THE EDP AUDIT, CONTROL, AND SECURITY NEWSLETTER NOVEMBER 2011 VOL. 44, NO. 5


GOOD PRACTICE FOR STRONG PASSWORDS KEVIN CURRAN, JONATHAN DOHERTY, AYLEEN MCCANN, AND GARY TURKINGTON

Abstract. The creation of strong, secure passwords is vital in our life today due to the implications of compromised access to our data. Passwords are commonly used to prevent unauthorized access to important information, to guarantee security of personal information, and to prevent unauthorized access to various services. It seems that people tend to veer toward adopting the simplest characters in forming their passwords and they also tend to reuse the same password for multiple accounts. This is natural due to the weakness of the average human mind but it can lead to attack from any of the password-cracking tools. This article will examine best practice in creating secure passwords.

INTRODUCTION

Passwords have been around since ancient times as a security measure. A common use of passwords today is in protecting online accounts. However, they are not foolproof and have flaws that can be exploited all too easily. In 2009, a security breach of RockYou.com saw the theft of usernames, passwords, and e-mail addresses of over 32 million user accounts. These details were subsequently posted on the Web, where people could see some of the passwords used. These passwords were then taken by a company called Imperva, which went on to publicize bad passwords and better practices (Vance, 2010). The most common password used was “123456,” which was used by over 290,000 users. The fourth was “Password,” which was used by 62,000 users. Further analysis showed that it would take a hacker a total of 110 attempts to gain access to an account. It would take a mere 17 minutes to gain access to 1000 accounts.

Social networks facilitate sharing of personal information, and the more data a person discloses, the more valuable they become to the service. However, social networking sites often have poor track records for security controls. For instance, they do not encourage users to select strong passwords.


Editor DAN SWANSON Editor Emeritus BELDEN MENKUS, CISA


Passwords also never expire, and we know that people often reuse the same password for all their accounts. This has led to an explosion in spiders being used on social networking sites to gather key words on individuals’ sites to feed into password generators to launch dictionary attacks to crack those user passwords on targeted individual sites. It is quite simply a brute force attack, often trying the top 20 passwords when attempting to break that account (Eston, 2010).

It is essential therefore that users create strong, secure passwords that cannot be easily guessed by third parties (Florencio & Herley, 2007). This reduces the risk of others gaining unauthorized access to important data. The overall security of the system must also be considered when choosing a password. For instance, asking users to remember difficult passwords or randomly generated passwords could lead to them being written down or saved electronically, creating more security risks.

Another scenario that must be considered is how many attempts users will be allowed before the system locks them out. Most systems will lock a user out after three failed attempts; however, online or interactive systems may allow unlimited attempts, which can create potential problems with hackers being able to try multiple guesses with no fear of being locked out of the system (Schneier, 2000). There are also methods such as making the delay increase with the number of failed attempts, or using secondary passwords when there are more than N failed attempts. Another solution, which is currently used on some websites (e.g., payment transactions for Blizzard Entertainment’s World of Warcraft[i]), is to allow only a small number of attempts before an account lockout, but to place the lockout on a timer, in this case 72 hours (Flatley, 2010). In this way, attackers can be thwarted without punishing actual users to the point where they must contact customer support in order to remove a permanent lockout.
Restricting the rate at which hackers can guess passwords or make password attempts can greatly enhance security. For instance, imposing a short lock of several seconds after failed entry attempts can make it much harder for a hacker to gain access, as the time required for cracking the password will grow exponentially on top of the time required for breaking the password without the additional restriction. It can also help to enforce the use of secondary passwords or other authentication after the first one when there are too many guesses.
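
The escalating delay and the timed lockout described above can be combined in one per-account throttle. The following is an added example, not code from the article: the class and function names, the five-failure threshold and the two-second base delay are assumptions, while the 72-hour lockout is the figure quoted in the text.

```python
import time


class LoginThrottle:
    """Per-account throttle: a growing delay between tries, then a timed lockout."""

    def __init__(self, max_failures=5, base_delay=2.0,
                 lockout_seconds=72 * 3600, clock=time.monotonic):
        self.max_failures = max_failures        # assumed threshold before lockout
        self.base_delay = base_delay            # assumed; doubles with each failure
        self.lockout_seconds = lockout_seconds  # 72 hours, as quoted in the text
        self.clock = clock                      # injectable so the logic is testable
        self._state = {}                        # account -> (failures, not_before)

    def seconds_until_allowed(self, account):
        """0.0 if an attempt may be evaluated now, otherwise the remaining wait."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, account):
        """Register a wrong password; return the wait imposed before the next try."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            wait = self.lockout_seconds
            failures = 0  # the counter restarts once the timed lockout has expired
        else:
            wait = self.base_delay * 2 ** (failures - 1)
        self._state[account] = (failures, self.clock() + wait)
        return wait

    def attempt(self, account, password_ok):
        """Return 'throttled', 'ok' or 'denied' for a single login attempt."""
        if self.seconds_until_allowed(account) > 0:
            return "throttled"  # rejected without evaluating the password at all
        if password_ok:
            self._state.pop(account, None)  # a successful login clears the history
            return "ok"
        self.record_failure(account)
        return "denied"


class FakeClock:
    """Manually advanced clock used to simulate long periods instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def guesses_evaluated(horizon_seconds, **throttle_options):
    """Count how many wrong guesses against one account are actually evaluated
    within the time horizon when every guess is made as early as allowed."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock, **throttle_options)
    evaluated = 0
    while True:
        clock.now += throttle.seconds_until_allowed("alice")
        if clock.now >= horizon_seconds:
            return evaluated
        throttle.attempt("alice", password_ok=False)
        evaluated += 1


if __name__ == "__main__":
    week = 7 * 24 * 3600
    print("guesses evaluated in one week:", guesses_evaluated(week))
```

With these settings a full week of continuous guessing against one account yields 15 evaluated guesses, and the legitimate user is never locked out for longer than the timer.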


The next security consideration is how passwords are saved and transmitted. For instance, if passwords are saved on the system as text, then an attacker who has managed to gain access to the system by some other means (e.g., an inserted Trojan) would find it simple to locate all the passwords stored there. Modern systems will generally store the password in a cryptographic form, keeping only a hash value of the password rather than the password itself. This makes it harder for an attacker to gain the passwords without restricting user access to the system (Schneier, 2000).

For those who may not trust their own ability to keep their passwords safe from prying eyes, a password manager may be the answer to their problems. A password manager allows the user to create a secure and encrypted username or password list containing all the passwords required by the user. There are a number of managers on the market such as Password Safe, KeyPass, RoboForm, Whisper 32, and KeyWallet. There is also a free open source Windows password-storage tool—Password Safe, which again is designed to let users remember only one master password to access their password list. The entire password database is protected by some form of authentication, usually a password, and encryption. Password vaults come in many forms and run on platforms from mobile phones to all the various operating systems in common use. They vary in security as well, from paranoid use of authentication and draconian access rules to systems that can be easily overcome and, in effect, are only slightly better than a sticky note. There are others, however, who believe that aggregating all the passwords behind one password can be less secure.
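
Storing a salted, deliberately slow hash instead of the text of the password, as described above, can look like the following. This is an added example, not code from the article: the record layout, the function names and the iteration count are assumptions, and PBKDF2 from the Python standard library stands in for whichever password-hashing scheme a given system uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune it to the hardware in use


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record 'scheme$iterations$salt$digest' (layout assumed)."""
    salt = os.urandom(16)  # a fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds)
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials):
    """Map username -> stored record; the password text itself is never kept."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts: two users who chose the same weak password.
    table = build_user_table({"alice": "monkey", "bob": "monkey"})
    for user, record in table.items():
        print(user, record)
    print("records differ:", table["alice"] != table["bob"])
    print("login ok:", verify_password("monkey", table["alice"]))
```

Because each record carries its own salt, identical passwords produce different records, so one cracked entry does not reveal which other accounts share that password.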

PASSWORD CRACKING

Often when a user is being challenged to create a new password for an account, rules are in place as to what characters are permissible and the minimum length. These rules may include that the password should include numbers, lower and upper case letters, and symbols if permitted by the system. This provides potentially higher entropy (i.e., more randomness) so that the password cannot be as easily guessed. Good practice might also be that the password should be as long as possible while still remaining memorable. A password with high entropy could prove difficult to remember as the characters are more or less random and therefore do not create a “real” word. When creating a password the user should also avoid dictionary words, sequences, and information such as pet names and family member names as this could provide an attacker means by which they could more easily guess the password.

An example of a good password therefore could be “tPi2S4u2g!(%&)” (this Password is 2 Strong 4u2 guess!(%&)). This would be a very hard-to-guess password as it follows all of the above guidelines. It uses numbers, symbols, and upper and lower case letters and does not spell out a common or dictionary word. It is also unrelated to personal things such as pets. An example of a weak password could be “password” or “abc123” as both would provide very low entropy and could be cracked easily. There are a number of sites that have published lists of weak passwords, such as the Openwall Project.[ii] This list is based on passwords most commonly seen on a set of
Unix systems in the mid-1990s, sorted for decreasing number of occurrences (i.e., more common passwords are listed first). It has been revised to also include common website passwords from public lists of “top N passwords” from major community website compromises that occurred in 2006 through 2009.

A more advanced way to judge the strength of a password is to estimate the length of time and the amount of computer power it would take to crack it. The majority of methods to crack passwords are either brute force, where the computer generates sample passwords that will be checked against the actual one until it is successful, or dictionary attacks, which search through a list of stored words or phrases until the password is discovered (Van Oorschot & Stubblebine, 2006). A brute force attack consists of attempting as many possible passwords and combinations as time and money allow. Increasing the length and randomness of the password is an effective measure for thwarting such an attack, as a sufficiently long password could conceivably take years to crack by even the most efficient toolkit. At a simplistic level, in a dictionary attack, every word found in various dictionaries and password lists—which contain the most commonly used passwords—is tried in the hopes of finding the correct one (Klein, 1990). Such attacks could be hindered to some degree by using non-native language words instead.

Many people incorrectly assume that programs to crack passwords must be created by the hacker, when in actual fact many such toolkits[iii] are commercially available for the purposes of allowing users and administrators to check password strength or recover lost passwords (Oltsik, 2009). L0phtCrack[iv] is a popular tool that has become a mainstay at many leading security consulting firms. It has features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding.
It provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices, and are rated as Strong, Medium, Weak, or Fail. L0phtCrack 6 supports pre-computed password hashes leading to fast password audits. It also imports and cracks Unix password files.

Another related method is password stealing, which can be done by inserting key logger software onto a target computer. This software will take note of the keys the user presses when prompted to enter a password and then send this information to the attacker. Some password-accessed sites attempt to circumvent key logging by requesting a user to enter random parts of a password each time they log on, thereby making it more difficult to extract the password (Bonneau & Preibusch, 2010).

One definition of password strength is the efficiency of a password in withstanding guessing and brute force attacks. In essence, one such measure estimates the average number of trials an attacker, with no direct access to the password, would need to correctly guess the password. The strength of a password using this metric is calculated as a function of length and symbol sequence. There are two approaches to creating passwords. One is computer-generated (pseudo-randomly generated) and the other is human-generated. The strength of pseudo-randomly generated passwords against the brute force attack can be calculated, and one calculation method is:
$$P = \frac{L \times R}{S}$$

where P = the probability that a password can be guessed during the course of its lifetime, L = the maximum lifetime a password can have, R = the number of guesses per unit of time, and S = the number of unique algorithm-generated passwords (the “password space”). Password strength is commonly estimated in terms of entropy, which is a concept from information theory, a branch of applied mathematics and electrical engineering involving the quantification of information (Bellovin, 2008).

Password strength can only be estimated. The human mind has a tendency to follow patterns to help remember the password as human memory works mostly by association. Unfortunately, these patterns can assist a possible attacker in gaining access to the password. By knowing something about the target, an attacker can try a guessing attack; while not as successful as the dictionary attack or brute force, it can cut down the time taken to crack a password. An automatically generated password is very strong against a guessing or dictionary attack. A “random” character generator is very unlikely to come up with a pet name or even a recognizable word. A truly random password cannot be obtained through a password generator as these generators follow a set program that for all intents and purposes produces a random password. However, these passwords are very difficult for anyone to remember without some sort of prompt. This poses a problem; if the passwords are too hard to remember then it makes them more likely to be written down, posing a security risk as literally anyone can get their hands on it.

There are numerous ways to attack passwords. The brute force and dictionary attacks have the highest success rate and the guessing method has a high rate of success in certain conditions. There are two ways in which the guessing method could be used effectively.
The first is when the attacker knows something about their target such as their favorite music, celebrities, hobbies, football, horse riding, favorite holiday destination, or pet name. The alternative is to recognize that passwords often repeat phrases such as “qwerty,” “admin,” “password,” “their username,” “12345,” or “pi - 3.14159.” This particular method of cracking passwords has a higher success rate for systems that possess a password expiration system, as many people find creating a new password to remember very difficult so they use something simple to recall like the examples above, or a slight variation on their current password.

The dictionary type of attack is generally successful on systems that restrict the user’s passwords with a low maximum limit, around 7 or 8 characters. This means that in order to remember their password, users would use a word easily remembered by them, a word usually found in the dictionary (e.g., football or monkey). The system will loop through all words in a given dictionary; however, more recently most dictionary attacks have been upgraded to include an alphanumeric search. In 1989, Daniel Klein cracked 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long (Schneier, 2006). Schneier (2006) analyzed the results
of a phishing attack on MySpace and found that only 3.8 percent of passwords were a single dictionary word, and another 12 percent were a single dictionary word plus a final digit, and two-thirds of the time that digit was 1.

The brute-force attack computes all possible instances that could be used for a password of x length with y number of characters used. The problem with this, from the hacker’s point of view, is that it takes a lot of time to compute, but this is a benefit for everyone else: the longer the password and the more character forms used, the stronger the password.
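
The formula P = L × R / S and the three strategies discussed in this section can be turned into a small password audit. This is an added example, not code from the article: the function names and the two tiny word lists are constructed for illustration, the 90-day lifetime and 1,000 guesses per second are assumed values, and the 63,000-word dictionary size is the figure quoted for Klein's study.

```python
import math
import string

# Constructed stand-ins for illustration; a real audit would load full lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "admin", "12345", "abc123"}
DICTIONARY = {"football", "monkey", "market", "piggy"}
DICTIONARY_SIZE = 63_000  # size of the dictionary quoted in the text

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def charset_size(password):
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))
    # Characters outside printable ASCII: fall back to the distinct symbols seen.
    return size or len(set(password))


def search_space(password):
    """Return (strategy, S): the cheapest strategy that finds the password and
    the number of candidates S that strategy has to cover. Letter case is
    ignored for list lookups, which is a simplification."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "common-list", len(COMMON_PASSWORDS)
    if lowered in DICTIONARY:
        return "dictionary-word", DICTIONARY_SIZE
    if lowered[-1:].isdigit() and lowered[:-1] in DICTIONARY:
        return "word-plus-digit", DICTIONARY_SIZE * 10
    return "brute-force", charset_size(password) ** len(password)


def guess_probability(space, lifetime_seconds, guesses_per_second):
    """P = L x R / S, capped at 1 because a probability cannot exceed it."""
    guesses = lifetime_seconds * guesses_per_second
    if guesses <= 0:
        return 0.0
    if guesses >= space:
        return 1.0
    # Work in logarithms so that very large password spaces do not overflow.
    return 2.0 ** (math.log2(guesses) - math.log2(space))


def audit(passwords, lifetime_days=90, guesses_per_second=1000):
    """Rate each password, weakest first. Lifetime and rate are assumed values."""
    rows = []
    for pw in passwords:
        strategy, space = search_space(pw)
        rows.append({
            "password": pw,
            "strategy": strategy,
            "entropy_bits": round(math.log2(space), 1),
            "p_guessed": guess_probability(space, lifetime_days * 86400,
                                           guesses_per_second),
        })
    return sorted(rows, key=lambda row: row["entropy_bits"])


if __name__ == "__main__":
    # Sample passwords taken from the article's examples, plus "monkey1".
    for row in audit(["tPi2S4u2g!(%&)", "monkey1", "password", "monkey"]):
        print(row)
```

The audit shows why adding one digit to a dictionary word gains almost nothing: S grows only tenfold, so P stays at 1 for any realistic lifetime, while the 14-character mixed password leaves P vanishingly small.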

GENERATING SECURE PASSWORDS

Password policies help advise users on how to create and maintain a secure password. Password policies will aid users when creating strong passwords, recommend how the user should handle the password (e.g., how often to change the password), and advise on how to change a password that has been forgotten and/or compromised. In the majority of policies, there will be a section about forced password changing. This is a way of guaranteeing that users are keeping their accounts secure but can also cause some users to become confused, which in turn means that they will create weak passwords.

An example of a password policy would be the revised version of the password policy for the UK Government. In their policy, they kept the usual parts of such policies but they also added a restriction on the layout that the user could use for their passwords. The policy states a password form called the Environ password. This form uses a specific combination that is meant to be used for each password. The combination is consonant, vowel, consonant, consonant, vowel, consonant, number, number. This might make it easier for Government employees when creating new passwords; however, there are also some flaws. The first is where a hacker finds out that the Government is using this form for passwords. This should then make it easier to guess all the combinations for the passwords before finding the right one.

It is recommended that procedures should also be set in place to allow users to change their passwords in the event of forgetting them or suspecting the password has been compromised; however, such systems can bring their own security risks. Upon the user choosing to reset a password, most systems will challenge the user to verify their identity, usually by asking for answers to preselected questions.
These can often be much easier to crack or guess than the actual password as they must generally be simple words or names that are connected to the user (e.g., “What was your mother’s maiden name?”). Such answers can usually be obtained via simple research on the attacker’s part if they have learned information about the user. A useful way to avoid this as a user would be to employ misinformation. For instance, assume you have accounts on various social networks listing your favorite band as “Metallica,” and you choose as your password reset question “What is your favorite band?” Any potential hacker who has researched you would naturally enter “Metallica,” but what if the answer you actually chose was a band you dislike and rarely, if
ever, listen to? This would make it much harder for an attacker to find out via research.

Similarly, sending the new or reset password to the user via e-mail creates even more security risks, as an unprotected e-mail can be just as easy to intercept as an unprotected password. This can be prevented by ensuring that any e-mails sent from the system are suitably encrypted. One solution to the problem of password resets is to have the system create a temporary password that is sent to the user via a relatively secure method, then allowing users to change the password again once they log in using the temporary pass. This eliminates the need for identity verification questions and answers, and the problem of secure transmission of the password can be minimized if only the temporary pass is sent to the user, and not the newly created, permanent password.

A technique employed by many systems is the process of password aging, or password decay, whereby users must choose a new password for themselves after a preset period of time (e.g., quarterly or bi-monthly). However, many users will find such a system to be an irritation and will quickly adopt a simple system to ensure they do not forget their passwords, such as simply adding a number to the end at each password reset. The security gained from such a system is also negligible, as anyone who gains a password to access a system will generally use it immediately, making the decaying aspect worthless unless they gained the password on the exact day it decayed. Also, anyone gaining access to an administrator or root account can simply change the system settings to negate the password decay. In general, it would be much better to encourage users to create secure passwords and employ good security for themselves—such as never allowing other people access to their user accounts—than to impose a mandatory system that encourages lazy password creation on the part of the user.
Good systems will also keep track of previous passwords for each user, so that they cannot be repeated for X number of cycles. This would prevent the use of PWA/PWB/PWA/PWB cycles (flip-flopping passwords between two choices).

When thinking of a secure password we should avoid using words found in a dictionary and common words of slang. It is better to mix letters and numbers so that it is harder to guess and, in some cases, put people off trying to gain access to the account. A password that would seem secure to us (e.g., 8lide8) can be easily guessed by a guessing program. This is because these programs take words from the dictionary and common slang words so that they can guess passwords more efficiently. Good secure passwords are better built around sentences. A good example of this is shown in Figure 1.

Figure 1. Generating passwords through the use of memorable sentences.
Sentence used: This Little Piggy Went To Market
Password generated: t l p WENT 2 m

Using this method makes it harder to guess either with a guessing program or the human mind, although even these passwords are not 100 percent secure. Most office workers are prone to leaving copies of their passwords. All passwords can be compromised in one way or another. The ‘‘art’’ is to create a technique of generating easy to remember passwords that would take a computer an unrealistic time to crack. There are many guidelines for creating secure passwords; the basic ones are:

• Use all available character forms where possible, uppercase, lower, and numbers
• Length should be around 12 to 14 characters if possible and remain memorable
• Avoid repetition where possible and avoid personal information
• Passwords must be memorable to avoid the practice of writing down passwords

There are a number of simple basic steps that the user can easily take to create a more secure password and foil unauthorized access to sensitive information. In doing so it is still possible to create a password that will be as secure as possible but yet will be easily remembered.

1. Do not use personal information, which may include your name, children’s names, birth dates, address, and so on.
2. Do not use dictionary words. Modern computers now have the capability of sifting through every word in the dictionary, thus enabling criminals to detect a “real word” password.
3. Use a mixture of different character types. Make use of upper and lower case letters, use some numbers and some special characters such as the asterisk (*) and pound sign (£).
4. Use a pass phrase. This involves using an easily remembered sentence but disguised in such a way that others could not possibly find by guessing or by using tools available on the computer. In this way a variety of secure passwords can be created.

There are a number of other precautions to safeguard password and sensitive information.

1. Use different passwords. In order to protect access to bank accounts, business transactions, and so on, use a different username and password for each application that requires protection. This will prevent a hacker from gaining access to all user transactions.
2. Frequent change of passwords. Passwords that protect particularly sensitive information should be changed on a regular basis. This can be done by self discipline on perhaps the first day of every month or three months, as thought best.
3. Group discipline. Where a number of users have a shared access, it is possible to configure the operating system to reject passwords that do not meet minimum requirements (Bradley, 2010).

There are a number of other relatively simple precautions to help keep passwords secret.

1. Under no circumstances provide a password in response to an e-mail request. A reputable company will not ask the user to
provide this information. Fraudulent e-mails are being used to trick users into revealing names and passwords, leading to identity theft and credit card fraud.
2. Do not use passwords on computers you do not own or control. While computers in Internet cafes, kiosk systems, and those now available while travelling, such as in airport lounges, are convenient for general Internet browsing, do not type passwords onto these computers. They may not be fully protected and there is also the risk that devices may have been planted within them or attached to them.
3. Do not reveal passwords. Although this may seem the most basic advice to be given, it is remarkable how many passwords are passed on to “trustworthy” friends or work colleagues. Despite good intentions, there is the temptation for passwords to be spread further afield, if only as a matter of convenience.
4. Protect recorded passwords. Avoid storing passwords on a computer file as this is an obvious place for someone bent on criminal intent to search. If a large number of passwords are in use and it is necessary to store them, make use of a password management tool (Bradley, 2010).

Human-generated passwords more often than not do not result in a very secure password. Humans generally do not achieve good entropy when creating their passwords and normally will create simple, easy to remember passwords such as a row of keys on a keyboard. An analysis of over 3 million 8-character passwords showed the letter “e” was used over 1.5 million times whereas “f” only 0.25 million times. The most common characters were “a,” “e,” “o,” and “r” and “1” was the most common number.

There are numerous software programs by which a user can randomly generate a password. These passwords are generated with each character having an equal chance of being selected. If the character set being used had letters, numbers, and symbols, then all of these could be selected for the password.
This method would normally be carried out using some software. The strength of the entropy will be determined ultimately by the actual generator itself. Some generators can even produce passwords that are more “word-like” and therefore easier for the user to remember and use. Many of these password generators[v] can be found on the Internet.

You can also use a random password generator like Gibson Research Corporation’s Ultra High Security Password Generator, which generates a unique set of high cryptographic-strength password strings. This generator is protected against attack as the page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection. The page is custom generated every time and cannot be cached or visible to others (Gibson, 2010). A pseudo-random generator uses an algorithm to create a string of characters that are not truly random but actually based off a small set of initial values. Each of the 64 hexadecimal characters encodes 4 bits of binary data, so the entire 64 characters is equivalent to 256 binary bits. In total, when combined with the value of the initialization vector, the monotonic counter and the cipher, the value of the password is actually 512 bits. This results in a possible 2^512 combinations, equating roughly to 1.34078079 × 10^154, which Gibson claims is the amazing number: 13,407,807,929,
ª Copyright 2011 Taylor & Francis—All rights reserved.

9

E

D P

A

C

S

NOVEMBER 2011

Downloaded by [University of Ulster at Coleraine] at 07:48 18 November 2011

942, 597, 099, 574, 024, 998, 205, 846, 127, 479, 365, 820, 592, 393, 377, 723, 561, 443, 721, 764, 030, 073, 546, 976, 801, 874, 298, 166, 903, 427, 690, 031, 858, 186, 486, 050, 853, 753, 882, 811, 946, 569, 946, 433, 649, 060, 084, 096. This makes a brute force attack—which is the only known method of cracking such a password—utterly unfeasible as every single one of the many possible combinations would have to be tried in order to crack the password. The password automatically eludes dictionary attacks as it is not an actual word or phrase and will appear on no existing password lists—unless someone were to make a list containing all those possible variations! However this method is not that practical unless you know a bit about computers or are very paranoid about your password, since it is difficult to remember such a long password string. The method below is a more practical method that still gives you a fairly high degree of security (Scalet, 2005). Step 1: Choose a core phrase. Start with a phrase that is at least five words long. It has to be something memorable to you (not really personal but memorable). Draw your core password from that, perhaps by using the first letter of each word as in tvsimfog, which are the first letters of the sentence ‘‘Tommy vs. SNAKEMAN is my favorite online game.’’ This step protects against the dictionary attack. Step 2: Replace some lowercase letters with capital letters, numbers, or symbols. Make sure to mix them up but do what makes sense to you, so you do not have to write your system down. For instance, the tvsimfog could be changed into Tv$iMf0G. Here, we have capitalized the first and last letters of the phrase, and replaced an ‘‘s’’ with a dollar sign and the ‘‘o’’ with an 0. You could also make ‘‘@’’ stand in for ‘‘a,’’ ‘‘1’’ stand in for ‘‘l,’’ and so on. 
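The search-space arithmetic behind Step 1 and Step 2, and behind the uniformly random generators discussed earlier, as an added Python example (not from the original article). The function names and the particular set of 10 punctuation marks are assumptions made for the illustration.

```python
import math
import re
import secrets
import string

PUNCT = "!@#$%^&*?-"  # assumed set of 10 punctuation marks
FULL = string.ascii_letters + string.digits + PUNCT  # 52 + 10 + 10 = 72
# Stand-ins named in the article: $ for s, 0 for o, @ for a, 1 for l.
KNOWN_SUBS = {"s": "$", "o": "0", "a": "@", "l": "1"}


def core_from_phrase(phrase):
    """Step 1: first letter of each word, lowercased."""
    return "".join(w[0].lower() for w in re.findall(r"[A-Za-z]+", phrase))


def brute_force_bits(length, alphabet_size):
    """log2 of the strings a blind brute-force search has to cover."""
    return length * math.log2(alphabet_size)


def rule_variants(core, subs=KNOWN_SUBS):
    """Candidates left when the lowercase core is guessable and only case
    changes and the well-known stand-ins were applied to it (Step 2)."""
    total = 1
    for ch in core:
        options = 2 if ch.isalpha() else 1  # lowercase or uppercase
        options += 1 if ch in subs else 0   # or the symbol stand-in
        total *= options
    return total


def random_password(length, alphabet=FULL):
    """Each character drawn uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    core = core_from_phrase("Tommy vs. SNAKEMAN is my favorite online game.")
    print(core, "lowercase only:", round(brute_force_bits(len(core), 26), 1), "bits")
    print("Tv$iMf0G, full set:  ", round(brute_force_bits(8, len(FULL)), 1), "bits")
    print("variants of a known 8-letter core:", rule_variants(core))
    print("case-only variants of a 7-letter word:", rule_variants("letters", {}))
    print("64 hex characters:", brute_force_bits(64, 16), "bits")
    print("random 12 characters:", random_password(12),
          round(brute_force_bits(12, len(FULL)), 1), "bits")
```

The difference between the full 72-character search space and the few hundred rule variants shows why predictable substitutions add little when the underlying core can be guessed, whereas a core taken from a private phrase or from a uniform generator keeps the whole search space.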
This step exponentially increases the amount of time it takes for a brute force attack, which runs through every possible combination of characters until it finds the right one. Rather than guessing from the 26 lowercase letters on the keyboard, the program has to try 52 uppercase and lowercase letters, plus 10 digits and at least 10 more punctuation marks.

Yan, Blackwell, Anderson, and Grant (2004) found that telling users to “remember sequences of upper and lowercase letters” was similar to asking them to remember a string of bits, and that the result would be hard to remember and only slightly harder to crack (i.e., 128 times harder for a 7-letter word). Using both letters and numbers leads to the same problem, as it will often cause users to choose simple and well-known substitutions such as “3” for “E” and “7” for “T.” By contrast, the technique of taking a phrase (e.g., The Quick Brown Fox Jumps Over The Lazy Dog) and using the first letter of each word (TQBFJOTLD) was found to be as memorable as passwords selected based on their connection to the user, and as difficult to guess or crack as randomly generated passwords.

The expected methods of attack are also an important consideration in the selection of a password. If it is expected that the main form of attack will be from a human hacker, then it is possible that simpler passwords will suffice if the choice of password is considered carefully. For instance, a random word that has no apparent connection to the user could be enough to elude an internal attacker in a small company who wishes to gain access to files that they do not have permission to view. Such methods would be ineffectual against a determined and experienced hacker.

There are a number of alternatives to traditional passwords. These include single-use passwords. Single-use passwords are used once and then discarded. In some circumstances, this can be a perfect way to avoid security issues; however, it will often inconvenience the user, so care should be taken when implementing such a system. A good example would be a system where the user only needs to log in once or twice every few weeks.

Security tokens are similar to single-use passwords but provide an additional layer of defense by adding a one-off password that only exists for several minutes. The value of the password is displayed on a small device that is usually easy to pocket or attach to a keychain. Without the device, the password is impossible to crack, as it only exists for the small window of time during which the device is triggered.

Biometric methods make use of unalterable personal characteristics to create a login method. Fingerprint scanners and iris scanners are examples of this. Voice biometrics has been introduced in many commercial and high-security environments. Voice biometrics is a newer area. Voice is unique to each user and so can be used as a “password.” The system can be set up to ask the user to repeat a random phrase in order to overcome the possibility of a voice tape recording being used to gain unauthorized access. However, biometric-based technology can have a high error rate and requires additional hardware components to be installed.

Graphical passwords allow the selection of a sequence of images or patterns as a password instead of standard words and numbers.
While such a system is potentially more secure than a standard password against hacking tools, users are as likely to choose easily remembered or recognized patterns as they are sequences of words in conventional passwords. Finally, cognitive passwords confirm a user’s identity via a series of questions and answers.
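The article does not say how a security token derives its short-lived value. This added example (not from the original article) assumes the open TOTP scheme of RFC 6238, with the RFC's published test key and a 30-second step as illustrative parameters, and shows both the device side and the server-side check that rejects a code once its window has passed.

```python
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """Code shown by the token during the time step containing unix_time."""
    return hotp(key, int(unix_time) // step, digits)


def verify(key, submitted, unix_time, step=30, drift=1, digits=6):
    """Server side: accept only codes from the current step +/- drift steps."""
    now = int(unix_time) // step
    ok = False
    for counter in range(max(0, now - drift), now + drift + 1):
        # Constant-time comparison, and no early exit on a match.
        ok |= hmac.compare_digest(hotp(key, counter, digits), submitted)
    return ok


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC test key, not a real secret
    code = totp(key, 59)
    print("code at t=59s:", code)
    print("accepted at t=59s: ", verify(key, code, 59))
    print("accepted at t=209s:", verify(key, code, 209))
```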

CONCLUSION

The creation of secure passwords can be difficult. There are many different ways to do so, but the resulting password may then be difficult to remember. Therefore, the user must find a way to create passwords that are both secure and easy to remember. This can also prove to be a problem, as the user will normally have numerous accounts that each require a password. Thus, after creating a secure password for each account, it will probably be necessary to record these passwords somewhere. Password management tools on the market can help in this respect, provided the master password is itself secure. It is also worth noting that there are often approaches superior to passwords for authentication, including multifactor authentication using biometrics and/or cryptographic tokens in addition to passwords (Yoichi, 2002).


Notes

i. http://www.wow-europe.com
ii. http://www.openwall.com/passwords/wordlists/password.
iii. http://www.passwordcracking.biz
iv. http://www.l0phtcrack.com
v. http://www.goodpassword.com

References

Bellovin, S. (2008). Security by checklist. IEEE Security and Privacy, 6(2), 88. doi:10.1109/MSP.2008.43

Bonneau, J., & Preibusch, S. (2010). The password thicket: Technical and market failures in human authentication on the Web. Workshop on Economics of Information Security.

Bradley, T. (2010). Creating secure passwords—Tips for creating strong passwords you can remember, About.com. Retrieved from http://netsecurity.about.com/cs/generalsecurity/a/aa112103b.htm

Eston, T. (2010, October 30). Social networks’ threat to security: Weak passwords and insecure personal information could put your company’s data at risk, InformationWeek. Retrieved from http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228000268&queryText=password

Flatley, J. (2010, August 16). GPUs democratize brute force password hacking, Engadget. Retrieved from http://www.engadget.com/2010/08/16/gpus-democratize-brute-force-password-hacking/

Florencio, D., & Herley, C. (2007). A large-scale study of web password habits. Proceedings of the 16th International Conference on World Wide Web, May 8–12, Banff, Alberta, Canada. doi:10.1145/1242572.1242661

Gibson, S. (2010, May). Perfect passwords—GRC’s ultra high security password generator. Retrieved from https://www.grc.com/passwords.htm

Klein, D. (1990). Foiling the cracker: A survey of, and improvements to, password security. 2nd USENIX Unix Security Workshop, Usenix, p. 5-1.

Oltsik, J. (2009). Identity and information security integration. White Paper, Enterprise Strategy Group. Retrieved from http://www.rsa.com/products/cleartrust/whitepapers/10404_ESG_WP_0909.pdf

Scalet, S. (2005, December). How to write good passwords—A good password isn’t a password at all. Instead, it’s a system for creating codes that are easy to remember but hard to crack. CSO Online. Retrieved from http://www.csoonline.com/article/220721/how-to-write-good-passwords?page=1

Schneier, B. (2006, December). MySpace passwords aren’t so dumb. Wired News. Retrieved from http://www.schneier.com/essay-144.html

Schneier, B. (2000). Secrets & lies: Digital security in a networked world. New York: Wiley & Sons.

Vance, A. (2010, January 20). If your password is 123456, just make it HackMe. New York Times, p. A1.

Van Oorschot, P., & Stubblebine, S. (2006). On countering online dictionary attacks with login histories and humans-in-the-loop. ACM Transactions on Information and System Security (TISSEC), 9(3), 235–258. doi:10.1145/1178618.1178619

Yan, J., Blackwell, A., Anderson, R., & Grant, A. (2004). Password memorability and security: Empirical results. IEEE Security and Privacy, 2(5), 25–31.

Yoichi, S. (2002, December). Development of personal authentication systems using fingerprint with smart cards and digital signature technologies. ICARCV’02. GMU ACM/IEEE Digital Libraries, p. 996–1001.

Kevin Curran B.Sc. (Hons), Ph.D., SMIEEE, FBCS CITP, SMACM, FHEA is a Reader in Computer Science at the University of Ulster. His achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes. He has published over 700 works to date. He is the Editor in Chief of the International Journal of Ambient Computing and Intelligence. Dr Curran is a Fellow of the Higher Education Academy, a Fellow of the British Computer Society, and is listed by Marquis in their prestigious Who’s Who in Science and Engineering. He is also listed in the Dictionary of International Biography and by Who’s Who in the World. Kevin can be reached at [email protected]

Jonathan Doherty (B.Sc., Ph.D.) is a research associate in the Intelligent Systems Research Centre at the University of Ulster. He has published and holds patents in the area of Song-Form Intelligent Self-Similarity K-Means Clustering to address gaps in streaming music over wireless networks. His research interests include Musical Information Retrieval, Network protocols, Multimedia and Ambient Assisted Living.

Ayleen McCann is currently an undergraduate student in Electronics and Computing at the University of Ulster. Ayleen has worked in the IT industry for companies such as SITA. Ayleen’s research interests include concurrent programming and Scala.

Gary Turkington is currently a graduate in Computer Science from the University of Ulster. His research interests include programming and security.
